Spotfire Service for Python Installation and Administration

Limiting exposure of your deployment

The Spotfire Service for Python is installed on a Spotfire Server node running under Linux or Windows. The Linux installation provides the option of running the Spotfire Service for Python in a containerization platform.

When you install the Spotfire Service for Python and run the Python engine, you can take steps to protect the server deployment, to minimize the risk of unauthorized access, and to minimize the possibility of malicious acts.

Statistical engines such as Python provide functions to access data and packages on the internet. Additionally, they have functions that access the host computer system, such as those for executing system commands, and those for reading and writing files. By their very design, these languages can expose computer systems to risk from bad actors, unless the deployer takes steps to secure the environments in which they run. We strongly recommend reviewing and implementing the practices described here.

Note: The Spotfire Service for Python installed on a Spotfire Server node running under Windows does not have a containerized installation available.

Restricting user access

  • Run the Spotfire Service for Python using an account that limits network access to required external data sources and services only. (Note that taking this step can limit availability to data and package updates.)
  • Always run the node manager containing the Spotfire Service for Python as a non-root user. (That is, not as root or under an Administrative account.)
  • If you are running a system where other servers have access to computers running the Spotfire Service for Python, disable passwordless access between the server and other servers.

Configuring for tighter engine control

  • If your deployment is on a Linux server, then the default configuration for the Spotfire Service for Python is to use containers (the property use.engine.containers: TRUE). Running the Spotfire Service for Python with containers enabled prevents the engines from having access to the host system. See Containerized Service for more information.
    Note: Docker is available under separate software license terms and is not part of the Spotfire Server or the Spotfire Service for Python. As such, Docker is not within the scope of your license for Spotfire Server or the Spotfire Service for Python. Docker is not supported, maintained, or warranted in any way by Cloud Software Group, Inc. Download and use of Docker is solely at your own discretion and subject to license terms applicable to Docker.
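
The following audit script is an added example, not part of the product documentation or the vendor's tooling. It checks two of the settings above on a Linux node: that use.engine.containers has not been switched away from TRUE, and that the node manager process is not running as root. The properties-file path and the node manager PID are assumptions supplied by the caller, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audits two settings from this page. The properties-file path and
# the node manager PID are caller-supplied assumptions, not product defaults.

# Print the effective use.engine.containers value (upper-cased), or nothing if unset.
# Accepts "key: value" and "key=value", skips comment lines, last definition wins.
containers_setting() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^[#!]/ { next }
        index($0, "use.engine.containers") == 1 {
            rest = substr($0, length("use.engine.containers") + 1)
            if (rest !~ /^[ \t]*[:=]/) next        # a longer, different key
            sub(/^[ \t]*[:=][ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            value = toupper(rest)
        }
        END { if (value != "") print value }
    ' "$1"
}

# Return 0 when containers are enabled (explicit TRUE, or unset: this page states
# TRUE is the Linux default), 1 for any other explicit value, 2 if unreadable.
containers_enabled() {
    value=$(containers_setting "$1") || return 2
    case "$value" in
        TRUE|"") return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 only when the process with the given PID exists and its uid is not 0.
runs_as_non_root() {
    uid=$(ps -o uid= -p "$1" 2>/dev/null | tr -d ' ')
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# usage: audit_service <properties-file> <node-manager-pid>
audit_service() {
    status=0
    if containers_enabled "$1"; then echo "PASS engine containers enabled"
    else echo "FAIL use.engine.containers is '$(containers_setting "$1")'"; status=1; fi
    if runs_as_non_root "$2"; then echo "PASS node manager runs as a non-root user"
    else echo "FAIL node manager is root or PID $2 was not found"; status=1; fi
    return "$status"
}
```

Source the file and call audit_service with the path to the service's properties file and the node manager PID; a non-zero exit status means at least one check failed.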